Cyware Weekly Threat Intelligence - August 28–01

Weekly Threat Briefing • Sep 1, 2023
The FBI has managed to neutralize the activity of yet another notorious malware network. This week, the agency announced the dismantling of the QakBot infrastructure that was used to infect over 700,000 computers worldwide, with more than 200,000 located only in the U.S. Besides this, there’s a piece of good news for victims affected by Key Group ransomware. They can now decrypt encrypted files using a free decryption tool that is built on flaws found in the ransomware’s encryption process.
The FBI, in cooperation with European law enforcement agencies, seized 52 servers operated by the QakBot operators. The agencies seized $8.6 million in illicit profits from the hacking group, while Dutch police secured 7.6 billion credentials from the servers. The trojan had infected over 700,000 computers across the globe, more than 200,000 of them located in the U.S.
CERT-NZ officially joined hands with the NCSC to bolster the nation’s cyber defenses. The development comes a month after the government announced its commitment to enhance cybersecurity readiness and response. The integration marks the first step in creating a unified operational cybersecurity agency in New Zealand, with similar actions taking place in countries like Australia, the U.K, and Canada.
Cybersecurity firm EclecticIQ announced the release of a free decryption tool for the Key Group ransomware, saving its victims from paying a ransom to recover their encrypted files. The researchers were able to build the tool after finding a flaw in the ransomware’s encryption routine.
Moving on to data breaches disclosed this week, three cryptocurrency platforms were in the crosshairs of a SIM-swapping attack that enabled attackers to gain unauthorized access to the sensitive details of their claimants. Separately, a reputed clothing retailer, Forever 21, and a meal delivery service, PurFoods, were notified of data breaches that impacted the personal information of millions of customers.
American entertainment giant Paramount disclosed a data breach involving the PII of around 100 individuals. The breach notification stated that the attackers had access to its systems between May and June. The firm is yet to confirm if the affected people included both its customers and employees.
London’s Metropolitan Police Service is investigating a data breach that may have exposed the personal details of 47,000 personnel, owing to an attack at a third-party vendor. The data includes names, ranks, and photographs of personnel.
Meal delivery service PurFoods disclosed that the PHI of more than 1.2 million individuals was stolen in a ransomware attack that occurred in February. The investigation determined that attackers exfiltrated the names, birth dates, Social Security numbers, driver’s license numbers, payment card data, financial account information, and medical and health information stored on systems.
The National Police of Spain warned of an ongoing LockBit Locker ransomware campaign targeting architecture companies in the country through phishing emails. The emails come from a non-existent domain fotoprix[.]eu, requesting a development plan and a cost estimate for the work from the architecture firm.
Cryptocurrency firms FTX, BlockFi, and Genesis suffered data breaches caused by a SIM-swapping attack at Kroll. By transferring a victim’s phone number to a new SIM card, the attacker successfully accessed information stored on Kroll’s systems, specifically files containing the personal information of bankruptcy claimants.
Threat actors are targeting Cisco’s ASA SSL VPNs in ongoing credential stuffing and brute-force attacks to gain initial access into networks, Rapid7 security researchers shared in a new report. These attacks have been active since March. This comes after Bleeping Computer reported last week that the Akira gang breached Cisco VPNs for initial network access.
Cybercriminals are using a variety of methods to gain unauthorized access to Airbnb accounts and steal their personal details, cookies, and account checkers. The stolen data can further be used to book properties, make fraudulent purchases, or perform identity theft. One of these methods involves the use of info-stealers, deployed using social engineering tactics.
The Ohio History Connection (OHC) shared an update in connection to a ransomware attack that successfully encrypted its internal data servers. During the attack, the attackers accessed the names, addresses, and SSNs of current and former OHC employees from 2009 to 2023.
The University of Michigan took all its systems and services offline in response to a cybersecurity incident that disrupted access to vital online services, including Google, Canvas, Wolverine Access, and emails. The university engaged with the IT team to restore the impacted systems.
A data breach notice filed by the clothing brand Forever 21 revealed that the personal data of more than half a million individuals was affected in a data breach that occurred earlier this year. The attackers had access to its systems for three months and stole data from both customers and employees.
Group-IB has a report on Classiscam operations that have enabled cybercrime groups to make nearly $65 million by targeting individuals across 79 countries, tricking them into sending money for non-existent goods sold online. First observed in 2019, the campaigns have become highly automated and can be run on a host of other services such as online marketplaces and carpooling sites.
A data breach at Topgolf Callaway exposed the personal and account details of 1.1 million customers, including those associated with Callaway’s sub-brands Odyssey, Ogio, and the Callaway Golf Preowned sites. The incident occurred on August 1 and the affected data includes full names, email addresses, phone numbers, and order histories.
Meanwhile, a lesser-known threat actor group Earth Estries came under the lens of researchers for its involvement in a cyberespionage campaign targeting governments and IT companies. There were updates on new Android malware families—MMRat and Infamous Chisel—spotted in different campaigns. While MMRat was used to target mobile users in Southeast Asia, Infamous Chisel infected the Android devices of the Ukrainian military.